Participants
Jim Mercer
Jim Mercer
Oliver Elphick
Oliver Elphick
Peter Eisentraut
Peter Eisentraut
Attachments
Show all attachments
Thread Outline
#1Jim MercerJim Mercer
Mar 30, 2001
#2Oliver ElphickOliver Elphickto Jim Mercer (#1)
Mar 31, 2001
#3...#4
Peter EisentrautJim Mercer
to Jim Mercer (#1)
Mar 31, 2001
#3Peter EisentrautPeter Eisentrautto Jim Mercer (#1)
Mar 31, 2001
#4Jim MercerJim Mercerto Peter Eisentraut (#3)
Mar 31, 2001

pg_hba.conf and crypt/password

Started by Jim Mercerabout 25 years ago4 messagesgeneral
Jump to latest
#1Jim Mercer
Jim Mercer
jim@reptiles.org

i seem to recall setting this up before, but now i can't seem to
get passwords working the way i want.

i'm running 7.0.3 on FreeBSD 4.3-RC.

i've set the entry in pg_hba.conf to both "crypt" and "password".

i've used "ALTER USER pgsql WITH PASSWORD 'test';

regardless of "crypt" or "password", psql allows entry using "test".

what i want is for the pg_shadow file to contain encrypted passwords like
/etc/passwd, and for the server to encrypt the plain text password handed
to it and compare with the crypto-gunge in pg_shadow.

is this not what "crypt" is supposed to do?

--
[ Jim Mercer jim@pneumonoultramicroscopicsilicovolcanoconiosis.ca ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ aka jim@reptiles.org +1 416 410-5633 ]

#2Oliver Elphick
Oliver Elphick
olly@lfix.co.uk
In reply to: Jim Mercer (#1)
Re: pg_hba.conf and crypt/password

Jim Mercer wrote:

i seem to recall setting this up before, but now i can't seem to
get passwords working the way i want.

i'm running 7.0.3 on FreeBSD 4.3-RC.

i've set the entry in pg_hba.conf to both "crypt" and "password".

i've used "ALTER USER pgsql WITH PASSWORD 'test';

regardless of "crypt" or "password", psql allows entry using "test".

what i want is for the pg_shadow file to contain encrypted passwords like
/etc/passwd, and for the server to encrypt the plain text password handed
to it and compare with the crypto-gunge in pg_shadow.

is this not what "crypt" is supposed to do?

'crypt' encrypts the password during transmission; apart from that there
is no difference from 'password'.

--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"If we confess our sins, he is faithful and just to
forgive us our sins, and to cleanse us from all
unrighteousness." I John 1:9

Import Notes
Reply to msg id not found: MessagefromJimMercerjim@reptiles.orgofFri30Mar2001175032CDT.20010330175032.L29550@reptiles.org | Resolved by subject fallback
#3Peter Eisentraut
Peter Eisentraut
peter_e@gmx.net
In reply to: Jim Mercer (#1)
Re: pg_hba.conf and crypt/password

Jim Mercer writes:

i seem to recall setting this up before, but now i can't seem to
get passwords working the way i want.

i'm running 7.0.3 on FreeBSD 4.3-RC.

i've set the entry in pg_hba.conf to both "crypt" and "password".

i've used "ALTER USER pgsql WITH PASSWORD 'test';

regardless of "crypt" or "password", psql allows entry using "test".

This is correct.

what i want is for the pg_shadow file to contain encrypted passwords like
/etc/passwd, and for the server to encrypt the plain text password handed
to it and compare with the crypto-gunge in pg_shadow.

This is not possible.

is this not what "crypt" is supposed to do?

Crypt encrypts the password on the wire, not in the storage.

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/

#4Jim Mercer
Jim Mercer
jim@reptiles.org
In reply to: Peter Eisentraut (#3)
Re: pg_hba.conf and crypt/password

On Sat, Mar 31, 2001 at 10:31:36AM +0200, Peter Eisentraut wrote:

what i want is for the pg_shadow file to contain encrypted passwords like
/etc/passwd, and for the server to encrypt the plain text password handed
to it and compare with the crypto-gunge in pg_shadow.

This is not possible.

i had a look at the code, and figured i wanted similar behaviour for:

host all 127.0.0.1 255.255.255.255 password /dir/passwd.file

but, rather than have a file, i wanted to use pg_shadow with encrypted
passwords.

so the following patch allows for:

host all 127.0.0.1 255.255.255.255 password pg_shadow

where "pg_shadow" is a special key (like "ident sameuser") to set up this
behaviour.

the patch is done in such a way that it will not impact existing installations

--
[ Jim Mercer jim@pneumonoultramicroscopicsilicovolcanoconiosis.ca ]
[ Reptilian Research -- Longer Life through Colder Blood ]
[ aka jim@reptiles.org +1 416 410-5633 ]

*** auth.c.orig	Fri Mar 30 19:37:08 2001
--- auth.c	Fri Mar 30 19:28:20 2001
***************
*** 695,701 ****
  static int
  checkPassword(Port *port, char *user, char *password)
  {
! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0')
  		return verify_password(port->auth_arg, user, password);
  	return crypt_verify(port, user, password);
--- 695,702 ----
  static int
  checkPassword(Port *port, char *user, char *password)
  {
! 	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0'
! 			&& strcmp(port->auth_arg, "pg_shadow") != 0)
  		return verify_password(port->auth_arg, user, password);
  	return crypt_verify(port, user, password);
*** crypt.c.orig	Fri Mar 30 19:38:26 2001
--- crypt.c	Fri Mar 30 19:39:07 2001
***************
*** 280,287 ****
  	 * authentication method being used for this connection.
  	 */

! crypt_pwd =
! (port->auth_method == uaCrypt ? crypt(passwd, port->salt) : passwd);

  	if (!strcmp(pgpass, crypt_pwd))
  	{
--- 280,294 ----
  	 * authentication method being used for this connection.
  	 */

! if (port->auth_method == uaCrypt)
! crypt_pwd = crypt(passwd, port->salt);
! else
! {
! /* if port->auth_arg, encrypt password from client before compare */
! if (port->auth_arg[0] != 0)
! pgpass = crypt(pgpass, passwd);
! crypt_pwd = passwd;
! }

if (!strcmp(pgpass, crypt_pwd))
{

← Back to Topics